IT Assessments

IT Assessment

CGNET has provided IT assessment and planning for customers since its founding in 1983. We have conducted over 100 successful projects for customers ranging from a 10,000-user organization in 100 countries to a five-user organization in one location.

Types of assessments

CGNET has performed IT assessments of many kinds. Here are some examples, with links to discussions of each below.

IT Strategic Assessment

An overall IT strategic assessment examines the past and current performance of an organization’s IT, in terms of technology, people and policies. It then compares this performance with the organization’s aspirations and recommends technologies, processes and policies to close the gap between promise and performance. The recommendations are then put into a multi-year execution plan.

What are the benefits?

A strategic assessment enables IT to act strategically. In particular, this means getting beyond IT agendas that are set by annual budget discussions. The IT strategy can lead budget discussions, rather than the other way around.

The IT strategic planning process also gets everybody in the organization on the same page. By considering the organization’s overall goals, the needs of departments and those of end users, the plan reflects the organization’s business needs, and the process gets everybody involved. This participation pays dividends in terms of buy-in and later adoption and justifies expenditures.

The needs assessment process, part of the overall effort, examines ongoing concerns about IT in the organization. This improves communication between IT and the rest of the organization.

In general, we expect the following results, if our recommendations are followed:

Aligning IT’s goals with the organization’s overall goals

More effective use of applications

A reliable infrastructure with excellent performance

Better security

How does it work?

An engagement usually begins with CGNET working with the organization to define the needed work. From the beginning, we work in close cooperation with the organization to ensure that the scope and timing of the project are right.

The next step is to collect information about the existing system. This is usually done by looking at documents such as policies and network diagrams and by discussing the system with the people in the organization responsible for IT.

At about the same time, we usually begin security testing, which usually involves vulnerability scanning and network monitoring for advanced persistent threats. After the tests are completed, we discuss the results with the organization, including making recommendations for any necessary remediation.

We then perform a needs assessment, based on the information collected above plus interviews with the appropriate executives and end users. When the interviews are completed, we write a needs assessment report.

After the needs assessment report has been approved by the customer, we conduct any necessary research on products, policies and procedures. We then analyze the gap between current practices and the expressed needs and write a preliminary report. After discussion with the organization, this becomes the final report. We then present the report to the organization, as appropriate.

What do I get?

Deliverables for an IT strategic assessment include:

A final report that includes an executive summary, narrative on the activities conducted, the needs assessment, recommendations, and a three-year implementation roadmap

A presentation to executive management on the assessment findings and recommendations

Materials that can be used for presentation to the organization’s Board of Directors (CGNET can conduct this presentation if desired)

How much does it cost?

The cost of the overall IT assessment depends on the size of the organization and the scope of the project. In general, this can range from $20,000 to $80,000. We work with the client to provide the greatest benefits at the most appropriate cost.

Information Security Risk Assessment

This kind of assessment is more important now than ever. Despite your best efforts, there’s a real chance that some of the organization’s information is going to be compromised. There are plenty of news stories about leaked emails, lost laptops and stolen smart phones, all of which caused previously private information to be made public. Is your organization prepared to deal with this possibility? Do you have plans to minimize the chances of such information exposure? Most organizations don’t know the extent of sensitive information spread throughout the organization, haven’t implemented comprehensive controls to secure the information, and don’t know what they would do if information was made public. Preparation now can mean peace of mind later.

What are the benefits?

The organization gets a comprehensive view of its complete information security posture, rather than being influenced by events or the clamor of different security vendors. It prioritizes remediation measures and justifies their cost. The plan is also a demonstration of how the organization has adopted best practices for information security. This can have economic impacts for the organization, for instance if donor confidence is affected by such a demonstration. The plan can also be used to demonstrate aspects of regulatory compliance. Finally, the planning process helps sustain a dialogue with executive management about how information is shared and stored, so that information security concerns can be raised, addressed and given the priority they deserve.

How does it work?

CGNET first works with your organization to document what information, devices and applications exist that could be considered sensitive, where they exist, and how they are currently secured. Once this inventory of sensitive information assets has been developed, CGNET works with your organization to understand the severity of each class of security breach. For instance, disclosure of some kinds of information could have a financial impact, while others could have a reputational impact. Temporarily shutting down the organization’s operations, as with a denial-of-service attack, will affect some organizations more than others. CGNET then calculates the likelihood of each kind of breach occurring and combines this with the severity ratings to develop an information security risk matrix. By plotting each information asset on the matrix, controls to mitigate each risk can be prioritized. CGNET then compares the security practices that are in place with industry standard controls, determining what improvements should be made, in terms of the priorities of the risk matrix. Finally, the improvements are put onto a roadmap, to provide a comprehensive plan.

What do I get?

CGNET produces a report that addresses the following questions.

What information assets exist, where are they located, and how are they currently protected?

What is the kind (financial, reputational) and amount of risk for each asset?

How does the organization’s current security posture compare, risk by risk, with industry standards and best practices?

What should be done to close the gap between current and best performance, given the organization’s particular needs and resources, including technology, policies and procedures?

How should new and improved security controls be implemented over time?

What Does It Cost?

The cost for developing a Strategic Information Security Risk Assessment depends on the scope of the effort and the resulting time required. Usually, the cost is in the $10,000 to $30,000 range.

Application Assessment

Sometimes, an organization wants to select a particular kind of application, such as an enterprise content management system, or software for collaboration, grants management, finance or customer relationship management. CGNET has helped organizations select each of these, and more.

What are the benefits?

Employing an experienced outside consultant like CGNET provides both a distanced view of the organization’s needs and familiarity with alternative solutions and how they have been implemented at similar organizations.

Once the process begins, it follows a tested methodology that simplifies the decision-making process and consideration of alternatives, with evidence from concrete measures.

Engaging with demonstrations and pilot projects not only provides hands-on experience with alternatives before selecting a solution but also increases buy-in through active participation in seeing and using the solution before its adoption.

How does it work?

The application assessment methodology is like that of the overall IT assessment, but much more focused. It begins with a discussion with the individuals or committee in charge of making the selection to define what progress in the selection has been made so far. It then usually involves a needs assessment, centered around the needs the new application is supposed to satisfy. Once we complete the needs assessment interviews, we usually create an abbreviated list of needs which the active organizational participants rank in importance.

Based on the ranked needs, CGNET examines the market for the products that most closely satisfy the needs. Usually, we schedule demonstrations of the top two to four products. Based on how the products fare in the demonstrations, the organization usually selects one for a pilot implementation. Depending on how the pilot goes, CGNET recommends a final product selection.

CGNET can also assist with the implementation of the application or find the appropriate vendor or consultant for this work.

What do I get?

The customer gets a report reviewing the needs identified, the applications considered and the solution recommended. The customer also gets support for demonstrating or testing applications.

How much does it cost?

The cost of an application assessment depends on the process we determine with the organization, but usually the

Infrastructure Assessment

We are in an infrastructure revolution, where the former model of client/server communications over a LAN is being replaced, over time, with cloud-based and mobile applications. In addition, increasing security challenges demand an infrastructure providing confidentiality, integrity and availability. Thus, many of our assessments focus on an organization’s infrastructure.

Smaller organizations that do not have a full-time IT manager but instead hire an IT consultant to manage their infrastructure may benefit from a third-party assessment of the infrastructure’s state.

What are the benefits?

CGNET has more than 30 years’ experience examining clients’ infrastructures, and we also operate our own managed services in multiple co-location centers (both public and private cloud). Thus, our customers benefit from our ongoing experience with many infrastructures, including our own.

We also apply a methodology that links infrastructure considerations to the strategic goals of the organization and provides a roadmap for implementing enhancements over time.

How does it work?

We begin with an assessment of current infrastructure, in terms of the goals the organization sets for the project. We turn then to an assessment of future needs and make recommendations for improvements.

The project usually begins with discussions with IT about the current infrastructure, its issues, and how they are thinking of changing it. If necessary, we do a broader needs assessment by interviewing others in the organization. We then analyze appropriate diagrams, policies and procedures. For example, if the assessment includes plans to move to a new location, we will examine the general plans for the new location.

The central effort is an inspection of the current infrastructure, including testing of various components and configurations if necessary. We may also test and analyze the infrastructure’s security.

Following the inspection and tests, we will recommend alternatives for improving the infrastructure and put them in a timeline, which is often a three-year roadmap. We will also prepare a budget for the improvements.

What do I get?

All projects provide recommendations for an improved infrastructure, with alternatives, and estimates of costs. We can also make presentations to the appropriate decision-making bodies in the organization, if needed.

How much does it cost?

The cost depends on the size of the organization and the scope of the project. Usually, the cost is between $20,000 and $60,000.

IT Policy Assessment

All policies require strategic thinking, but IT policies also require technical expertise. We combine these to create the IT policies an organization needs.

What are the benefits?

Benefits are internal and external. Internally, policies coordinate expectations and practices around the subject, be it appropriate computer use, document retention, security or similar concerns. Staff know what to do when questions arise if they have a comprehensive policy.

Externally, policies inform partners, customers/beneficiaries and regulators about the organization’s commitment to their concerns, including, in some cases, compliance with laws and regulations.

How does it work?

Basically, we assess current policies and make recommendations for improvements. Some organizations will have many policies; others will have none. The types of policies we usually examine include general IT and IT security policies, appropriate computer use policies, mobile device use policies, disaster recovery policies and document retention policies.

Depending on what CGNET and the organization decide is needed, the initial assessment may only involve examination of current policies and discussions with interested parties, or we may also decide to interview others across the organization or even outside the organization.

Following the needs assessment, we will recommend improvements to policies, which may include producing drafts of new policies that management at the organization can discuss, amend and approve.

What do I get?

Often the deliverables are drafts of the needed policies, usually accompanied by some discussion of activities that the organization might want to undertake to implement the policies.

How much does it cost?

The cost of the project depends on the number of policies under review, but usually the cost is between $5,000 and $10,000.